ClusterWideNetworkPolicy deny to CIDR not enforced #15198

@hoeg

Description

Bug report

General Information

I am running a Kubernetes cluster on AWS and I want to restrict access to the AWS metadata service by default such that it is opt-in. It seems that the CiliumClusterwideNetworkPolicy is not enforced when using egressDeny with toCIDR.

  • Cilium version (run cilium version)
# cilium version
Client: 1.7.5 f524ca028 2020-06-12T14:10:36+02:00 go version go1.13.12 linux/amd64
Daemon: 1.7.5 f524ca028 2020-06-12T14:10:36+02:00 go version go1.13.12 linux/amd64
  • Kernel version (run uname -a)
# uname -r
5.4.92-flatcar

Policy that is not getting enforced by cilium:

apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "block-aws-metadata-service"
spec:
  # Select every endpoint outside kube-system (cluster-wide, so no namespace field).
  endpointSelector:
    matchExpressions:
      - key: k8s:io.kubernetes.pod.namespace
        operator: NotIn
        values:
          - kube-system
  # Deny egress from the selected endpoints to the AWS instance metadata address only.
  egressDeny:
  - toCIDR:
    - 169.254.169.254/32

How to reproduce the issue

  1. kubectl apply the "block-aws-metadata-service" policy to the cluster
  2. exec into a pod that is not in kube-system and run curl http://169.254.169.254

I would expect that this request will time out, but it does succeed.
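The following verification script is an added example for this report; it is not part of the original issue and not Cilium's own tooling. It turns the two reproduction steps above into a repeatable check: it curls the metadata address from inside a named pod with a timeout, maps the curl exit status to a verdict, and also asks a Cilium agent for its version and whether the policy is present in its policy repository. The namespace and pod names (app/web, kube-system/coredns-xxxx), the policy file name, and the exit-code mapping (a dropped packet surfaces as a curl timeout, exit 28, assuming no HTTP proxy in the pod) are assumptions. The version check matters because deny rules (egressDeny) were introduced in Cilium 1.9, so confirming the running agent release supports them is the first thing to rule out.

```shell
#!/usr/bin/env bash
# Added example: check whether the egressDeny/toCIDR rule blocks 169.254.169.254.
# Requires kubectl access to the cluster; pod and namespace names are placeholders.
set -eu

METADATA_URL="http://169.254.169.254/latest/meta-data/"
POLICY_NAME="block-aws-metadata-service"   # assumption: same name as the policy above

# classify_curl_exit EXITCODE: map a curl exit status to a verdict.
# A policy drop shows up as a connect timeout (28); an active reject as 7.
classify_curl_exit() {
  case "$1" in
    0)    echo reachable ;;
    7|28) echo blocked ;;
    *)    echo "unknown($1)" ;;
  esac
}

# metadata_verdict NAMESPACE POD: curl the metadata service from inside POD with a
# 5 second timeout and print blocked/reachable/unknown(N).
metadata_verdict() {
  local ns=$1 pod=$2 rc=0
  kubectl -n "$ns" exec "$pod" -- \
    curl -sS -o /dev/null --max-time 5 "$METADATA_URL" >/dev/null 2>&1 || rc=$?
  classify_curl_exit "$rc"
}

# expect_verdict NAMESPACE POD WANT: return non-zero (usable in CI) if the verdict differs.
expect_verdict() {
  local ns=$1 pod=$2 want=$3 got
  got=$(metadata_verdict "$ns" "$pod")
  if [ "$got" = "$want" ]; then
    echo "OK   $ns/$pod: $got"
  else
    echo "FAIL $ns/$pod: expected $want, got $got" >&2
    return 1
  fi
}

# show_cilium_view: print the agent version and whether the agent imported the
# policy (the policy name appears as a label in the output of `cilium policy get`).
show_cilium_view() {
  local agent
  agent=$(kubectl -n kube-system get pods -l k8s-app=cilium \
            -o jsonpath='{.items[0].metadata.name}')
  kubectl -n kube-system exec "$agent" -- cilium version
  kubectl -n kube-system exec "$agent" -- cilium policy get \
    | grep -A3 -i "$POLICY_NAME" \
    || echo "policy $POLICY_NAME not found in agent $agent" >&2
}

# Usage (assumed pods; the policy file is the manifest shown in the report):
#   kubectl apply -f block-aws-metadata-service.yaml
#   show_cilium_view
#   expect_verdict app web blocked                      # non-kube-system pod must be denied
#   expect_verdict kube-system coredns-xxxx reachable   # excluded by the NotIn selector
```

Run `expect_verdict` for one pod inside kube-system and one outside it: if both come back `reachable`, the rule is not being applied at all, which is the symptom described above; if only the kube-system pod is reachable, the selector and deny rule behave as intended. While a check runs, `cilium monitor --type drop` on the agent for the pod's node shows whether the datapath is dropping the packets with a policy verdict.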

Labels

  • area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
  • kind/bug: This is a bug in the Cilium logic.
  • kind/community-report: This was reported by a user in the Cilium community, e.g. via Slack.
  • pinned: These issues are not marked stale by our issue bot.
  • sig/policy: Impacts whether traffic is allowed or denied based on user-defined policies.